Simple and secure setup solution for gotenberg on Render.com

[bitshaker]

I'm looking for simple step by step instructions to setup gotenberg on render.com

I can set up the gotenberg service as a web service, but given that it's just open to anyone, I don't want to do that as I have no way to authenticate users and block unauthorized users.

To try and fix this, I'm working on setting up kong in front as a proxy to gotenberg set up as a private service.

I'm in configuration hell and I'm wondering if there's an easier way. Issues raised here seem to imply that running the service in an open manner is bad, but then don't give clear instructions on how to secure the service.

I'm running an app on bubble.io and need to make calls over the internet to my render.com instance of gotenberg. Basic Auth security or something similar is perfectly fine with me. I just don't want to have the world use my instance.

Is there a way to set things up securely so that I haven't exposed it to the world as a web service?

[gulien]

Hello @bitshaker,

Having two platforms on different networks, your approach (using a reverse proxy) is actually the correct one IMO. I'm not familiar with Kong though, so good luck 😄

[bitshaker]

Any reverse proxies you recommend? I’m happy to use whatever works.

[gulien]

Traefik or nginx have both plenty of resources available online 👍

[bitshaker]

I was able to set up a private git repo with a Dockerfile to make Nginx into a reverse proxy and deployed directly to render.com using these instructions. https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Docker-Nginx-reverse-proxy-setup-example and https://medium.com/pernod-ricard-tech/adding-basic-authentication-with-nginx-as-a-reverse-proxy-a229f9d12b73

For security by obscurity sake, I left everything the same and the only route that's forwarded is the route to the pdf conversion with chrome that I needed.

Then, I added basic authentication as that was easy to do in the Dockerfile I set up.

Here's what the default.conf file looks like

server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    
    location /forms/chromium/convert/html {
        auth_basic             "Restricted";
        auth_basic_user_file   .htpasswd;

        proxy_pass http://my-gotenberg-instance:3000/forms/chromium/convert/html;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

And the Dockerfile looks like this

FROM nginx:latest

# Install apache2-utils to get htpasswd command
RUN apt-get update -y && apt-get install -y apache2-utils && rm -rf /var/lib/apt/lists/*

# Basic auth credentials
ENV BASIC_USERNAME=username
ENV BASIC_PASSWORD=password

# Forward host and foward port as env variables
# google.com is used as a placeholder, to be replaced using environment variables
ENV FORWARD_HOST=http://my-gotenberg-instance:3000
ENV FORWARD_PORT=3000

# Nginx config file
WORKDIR /
RUN htpasswd -c -b /etc/nginx/.htpasswd $BASIC_USERNAME $BASIC_PASSWORD
COPY default.conf /etc/nginx/conf.d/default.conf